From 988f6d72c55a041b9b382143e2548571a3510abc Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Fri, 4 Oct 2019 20:37:17 +0200 Subject: add osmo_fsm_set_dealloc_ctx(), to help with use-after-free This is a simpler and more general solution to the problem so far solved by osmo_fsm_term_safely(true). This extends use-after-free fixes to arbitrary functions, not only FSM instances during termination. The aim is to defer talloc_free() until back in the main loop. Rationale: I discovered an osmo-msc use-after-free crash from an invalid message, caused by this pattern: void event_action() { osmo_fsm_inst_dispatch(foo, FOO_EVENT, NULL); osmo_fsm_inst_dispatch(bar, BAR_EVENT, NULL); } Usually, FOO_EVENT takes successful action, and afterwards we also notify bar. However, in this particular case, FOO_EVENT caused failure, and the immediate error handling directly terminated and deallocated bar. In such a case, dispatching BAR_EVENT causes a use-after-free; this constituted a DoS vector just from sending messages that cause *any* failure during the first event dispatch. Instead, when this is enabled, we do not deallocate 'foo' until event_action() has returned back to the main loop. Test: duplicate fsm_dealloc_test.c using this, and print the number of items deallocated in each test loop, to ensure the feature works. We also verify that the deallocation safety works simply by fsm_dealloc_test.c not crashing. We should probably follow up by refusing event dispatch and state transitions for FSM instances that are terminating or already terminated: see I0adc13a1a998e953b6c850efa2761350dd07e03a. Change-Id: Ief4dba9ea587c9b4aea69993e965fbb20fb80e78 --- include/osmocom/core/fsm.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/osmocom/core') diff --git a/include/osmocom/core/fsm.h b/include/osmocom/core/fsm.h index 1701c45e..269befa5 100644 --- a/include/osmocom/core/fsm.h +++ b/include/osmocom/core/fsm.h @@ -122,6 +122,7 @@ struct osmo_fsm_inst { void osmo_fsm_log_addr(bool log_addr); void osmo_fsm_log_timeouts(bool log_timeouts); void osmo_fsm_term_safely(bool term_safely); +void osmo_fsm_set_dealloc_ctx(void *ctx); /*! Log using FSM instance's context, on explicit logging subsystem and level. * \param fi An osmo_fsm_inst. -- cgit v1.2.3